IP Addresses and the Domain Name System (DNS) are two core elements of Internet infrastructure that have been working together for a long time – the DNS typically being referred to as the “telephone book of the Internet” – to map human readable domain names to IP addresses.

As core building blocks, these technologies can be leveraged together to create interesting solutions to common networking problems. A recent trend is to use commodity Internet access purchased from local Internet Service Providers (ISPs), plus a Virtual Private Network (VPN), to create a secure channel for information to flow between enterprise locations.

This technique is used by many enterprises to create a cost-friendly alternative to traditional and expensive frame relay, ATM, point-to-point T-1 or MPLS services.

The Problems


IP address allocation planning and utilization is a common area of concern for enterprises that deploy a VPN on top of commodity Internet access such as Digital Subscriber Line (DSL), cable modem, or fiber-to-the-premises services.

Nearly all ISPs today default to providing subscribers with dynamically assigned WAN IP addresses, with fewer ISPs offering static WAN IP addresses as an option.

In some cases, when static WAN IP addresses are available, there is a charge associated with their utilization (recent market rates command up to $14.95 per month for a single static WAN IP address).

ISPs constantly evolve their network architecture and capacity, which is one reason they prefer to assign dynamic IP addresses to their subscribers.

Additionally, the current exhaustion of IPv4 space requires ISPs to be far more conservative in their IP subnetting plans than they have in the past.

This leads to more renumbering and reallocation events than ever before, which also contributes to the desire to deploy a dynamically IP addressed environment. This is typically accomplished by running Dynamic Host Configuration Protocol (DHCP) in the ISP environment.

For enterprises deploying a secure VPN on top of commodity Internet connections, DHCP-assigned WAN IP addresses can create a unique challenge for IT administrators.

First, a VPN hub cannot practically use a DHCP-assigned address, because remote VPN devices need a stable, known address to connect to when establishing their secure tunnels. This is typically addressed by deploying static WAN IP addresses at the VPN hub location, usually the enterprise headquarters or the enterprise data center.

Second, when VPN connections fail in a DHCP-assigned environment, administrators are typically left without a mechanism to remotely troubleshoot, diagnose, and rectify the connection problem, leading to expensive on site service calls.

The Solution

Dyn’s DynECT Managed DNS is uniquely positioned to assist enterprises in bridging the gap between dynamic and static IP address environments by tying domain names and the DNS into the environment. For the VPN hub, Dyn’s support for Dynamic DNS, a mechanism for remotely updating DNS records, allows hostnames to be re-mapped as dynamic IP addresses change, in near real time.

This capability creates an abstraction layer between the WAN IP address assigned to a device and the fully qualified domain name (FQDN) of the device itself.


Rather than establishing VPN connections via IP address, connections are made to device FQDNs, enabling the network to reconfigure itself via DHCP as needed, but maintaining a solid mapping via DNS to the hardware device.

For the remote VPN device, Dynamic DNS also assists in the remote administration and troubleshooting of that device. By assigning FQDNs to remote devices, administrators can simply connect to a FQDN to access that device, knowing that any changes to the WAN IP address of the device will be updated in the DNS in nearly real-time.

To support Dynamic DNS, devices simply need to support the industry standard DynDNS update protocol, developed and supported by Dyn since 1998. This HTTP-based update protocol provides a simple way to inform our network of globally deployed DNS servers of an IP address change.

Each remote device is provisioned with credentials for the update service. Devices may be given individual credentials, or a shared credential may be installed across multiple devices for ease of deployment; individual credentials are the safer choice, because whoever holds an update credential can re-point every hostname that credential is authorized to update, so a per-device credential limits the damage if one device is compromised. Upon detecting a WAN IP address change, the device uses the Dynamic DNS update protocol to quickly inform Dyn’s DNS servers of the change, and the related FQDN is updated.
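The exchange described above, as an added example that is not Dyn’s own client or server code: a device-side client that sends a DynDNS-style nic/update request only when its WAN address actually changes, and a stand-in update server so the example runs offline. The request and response shapes (HTTP Basic credentials, hostname/myip parameters, and the good/nochg/badauth/nohost/notfqdn/badagent reply codes) follow the widely implemented DynDNS update protocol; the endpoint URL, the hostnames and the credentials are placeholders, and the fake server is constructed for the example. The server authorizes updates per account, which is what makes per-device credentials limit the blast radius of a compromised device.

```python
"""DynDNS-style update: client detects a WAN IP change, pushes it, and stops
retrying on fatal replies. Added example, not Dyn's code; endpoint, hostnames
and credentials are placeholders."""
import base64
import ipaddress
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlparse

UPDATE_URL = "https://members.dyndns.org/nic/update"   # assumption: your provider's endpoint
USER_AGENT = "example-ddns-client/1.0 ops@example.com"  # providers expect a descriptive UA

# Replies after which a client must stop until an operator intervenes;
# repeating the same failing request is treated as abuse by providers.
FATAL = {"badauth", "notfqdn", "nohost", "abuse", "badagent", "911"}


def build_update_request(hostname: str, ip: str, user: str, password: str) -> Tuple[str, Dict[str, str]]:
    """Build the GET URL and headers for one update (HTTP Basic over HTTPS)."""
    ipaddress.ip_address(ip)  # refuse to send garbage as myip
    url = f"{UPDATE_URL}?{urlencode({'hostname': hostname, 'myip': ip})}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return url, {"Authorization": f"Basic {token}", "User-Agent": USER_AGENT}


def parse_update_response(body: str) -> Tuple[str, Optional[str]]:
    """Return (status, ip). Only 'good' and 'nochg' carry the accepted address."""
    parts = body.strip().split()
    if not parts:
        raise ValueError("empty update response")
    ip = parts[1] if parts[0] in ("good", "nochg") and len(parts) > 1 else None
    return parts[0], ip


class DdnsUpdater:
    """Device-side state machine driven by periodic WAN address observations."""

    def __init__(self, hostname: str, user: str, password: str,
                 fetch: Callable[[str, Dict[str, str]], str]):
        self.hostname, self.user, self.password = hostname, user, password
        self.fetch = fetch              # fetch(url, headers) -> response body
        self.last_ip: Optional[str] = None
        self.disabled_reason: Optional[str] = None

    def on_wan_ip(self, current_ip: str) -> str:
        if self.disabled_reason:
            return "disabled"           # fatal reply seen earlier: do not hammer the API
        if current_ip == self.last_ip:
            return "unchanged"          # no update when nothing changed
        url, headers = build_update_request(self.hostname, current_ip, self.user, self.password)
        status, ip = parse_update_response(self.fetch(url, headers))
        if status in ("good", "nochg"):
            self.last_ip = ip or current_ip
        elif status in FATAL:
            self.disabled_reason = status
        return status


class FakeUpdateServer:
    """Constructed stand-in for the provider endpoint: checks the credential,
    then checks that the account owns the hostname before changing it."""

    def __init__(self, accounts: Dict[str, str], records: Dict[str, Tuple[str, str]]):
        self.accounts = accounts        # user -> password
        self.records = records          # hostname -> (owner, current ip)

    def __call__(self, url: str, headers: Dict[str, str]) -> str:
        if not headers.get("User-Agent"):
            return "badagent"
        try:
            _scheme, token = headers.get("Authorization", "").split(" ", 1)
            user, password = base64.b64decode(token).decode().split(":", 1)
        except ValueError:
            return "badauth"
        if self.accounts.get(user) != password:
            return "badauth"
        params = dict(parse_qsl(urlparse(url).query))
        host, ip = params.get("hostname", ""), params.get("myip", "")
        if "." not in host:
            return "notfqdn"
        if host not in self.records or self.records[host][0] != user:
            return "nohost"             # credential is valid but not for this name
        if self.records[host][1] == ip:
            return f"nochg {ip}"
        self.records[host] = (user, ip)
        return f"good {ip}"


if __name__ == "__main__":
    server = FakeUpdateServer({"branch01": "s3cret"}, {"branch01.example.com": ("branch01", "198.51.100.1")})
    client = DdnsUpdater("branch01.example.com", "branch01", "s3cret", server)
    for observed in ("203.0.113.7", "203.0.113.7", "203.0.113.9"):
        print(observed, "->", client.on_wan_ip(observed))   # good, unchanged, good
```

The client only ever sends a request when the observed WAN address differs from the last accepted one, and it parks itself after a fatal reply such as badauth; both behaviours are what providers expect from well-behaved update clients.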

From a security perspective, the VPN itself delivers the same protection as before: Dynamic DNS only supplies the address to connect to, and the tunnel’s own peer authentication (certificates or pre-shared keys tied to the peer’s identity) remains the point at which the remote end is trusted, so a VPN peer must never be accepted on the strength of the resolved address alone. The update credential does become part of what protects the network, and should be guarded like any other credential and sent only over HTTPS. The one operational trade-off is that when a WAN IP address changes, a remote VPN gateway may become disconnected and may need to wait up to 60 seconds (the time for the updated record to propagate and for cached copies to expire) before re-establishing the VPN.

Competitive Comparison: Static IP Addresses vs. Dynamic DNS

Deployment mode
  Static WAN IP address: Limited support; varies by ISP.
  DHCP WAN IP with Dynamic DNS: Universally supported regardless of ISP.

Network visibility
  Static WAN IP address: Limited to an IP address inventory.
  DHCP WAN IP with Dynamic DNS: Fully qualified domain names assigned to each remote device.

Remote troubleshooting and administration
  Static WAN IP address: Requires knowledge of per-site addressing and an up-to-date inventory / documentation.
  DHCP WAN IP with Dynamic DNS: Simple-to-remember, up-to-date hostnames assigned to each device.

Cost
  Static WAN IP address: Variable; cost per static IP address per location.
  DHCP WAN IP with Dynamic DNS: Fixed; cost of DynECT Managed DNS services.